Anatomy of a Hack 2008

A few years ago I delivered a very popular presentation I called "Anatomy of a Hack." Well, actually, I called it "How to Get Your Network Hacked in 10 Easy Steps" but the marketing department at my previous employer thought that title was a bit, edgy, so they renamed it. The Chinese called it "Anatomy of a Hacker" at TechEd China in 2005, but that's another story altogether. The presentation, which is actually documented in Protect Your Windows Network, had me wandering through an entire network once I got a foothold on one computer.

For the past couple of years I've been telling people that the future of attacks are against people, not networks. In June I got further confirmation of that. A notification came in from my blog that I had a new comment to approve. The comment was just a link, looking like this one:

 A Comment has been posted to Jesper's Blog: Hey, Mozilla: Quotes Are Not Legal in a URL by Google Images:
images.google-us.info/index.html Google Images

This looked suspicious enough so I started investigating a bit. What I found just hit the net on The Register. I thought it made an interesting tale of how the bad guys are trying to monetize their handiwork. Sandi has also written about this on her blog here, and here, and here...

On a very much related note,  I will actually do a live walkthrough of this type of attack at TechEd EMEA ITPro in Barcelona this coming November. Yes, that's right, I'm going back to TechEd. Hope to see you there!

Security is About Passwords and Credit Cards, Part 3

The final installment in my series called "Security is About Passwords and Credit Cards" is now up on TechNet Magazine. This part of the series discusses updating technologies, including how not to abuse them, messaging about security, and the checkbox syndrome. It ends with the final comments about what we, as an industry, need to do better on to improve our users' ability to protect themselves.

Buy the original Olympic Torch from Beijing

"Buy the original Olympic Torch from Beijing"

That was one of the fake headlines in the latest "CNN.com Daily Top 10" malware spam I've been getting lately. This particular spam is a fake newsfeed which redirects you to one of many sites. All the sites have the same thing in common: they are designed to trick you into installing fake anti-malware software.

I sent some screenshots I took to Sandi, and she wrote up a nice warning about it.

How Not To Build a Highly Available Web Site

Here's what I just got when I went to http://www.technetmagazine.com:

Here's the kicker: it's not TechNet Magazine that is down, nor even TechNet. It is Microsoft Live Sign-in, née Passport. To get to TechNet it attempts to sign you in to Passport/Live sign-in. Accounts are apparently distributed across servers, and the one holding my account is down, so I can't get to anything that uses it, including the Microsoft.com homepage!

If you want to decrease the uptime on your web site, take a run-time dependency on an unreliable and unnecessary service.

Security is About Passwords and Credit Cards Part 2

The second part of my "Security is About Passwords and Credit Cards" article just hit the web. This installment looks at logon processes, misleading security eye candy, and insecure communications with customers. As always, I'd love your thoughts on it.

Security is About Passwords and Credit Cards

Security is About Passwords and Credit Cards. That's what a very nice lady told me a few months ago. At first I shrugged it off. Of course security is so much more than that. As I started to process it though I realized that is exactly what it is about to end-users. They don't care about the LMCompatibilityLevel, renaming admin accounts, UAC, SafeDllSearchMode, restricted tokens, or IDM. All they care about is to keep their credit cards safe, and the way they do that is by using a password. In the end, I started writing an article on it. When I was done, it was a three-installment piece. The first one just hit the web in the July issue of TechNet Magazine. Let me know what you think.

Thoughts on Security by Obscurity

This has not really been that normal a week for me, but at least another article made it into print. The June 2008 issue of TechNet Magazine is headlined by an article I wrote with my friend Roger Grimes, Security Adviser for Infoworld, on Security by Obscurity. It is another one of those point-counterpoint pieces like we did in the Vista Security book where Roger argues one side of the issue, and I explain why he is wrong; or, rather, argue the other.

Does your AMD-based computer boot after installing XP SP3?

 

Updates

  • Updated May 8 to add information on a second issue.
  • Updated May 9 to add information on possible additional issues as well as instructions for using the recovery console. 
  • Updated May 10 with some clarifications, a possible video driver problem causing other STOP errors, and an additional work-around for the ASUS motherboard.
  • Updated May 11 with a pointer to a Microsoft article on removing SP3, and added some information on a possible version for the faulting ATI Catalyst driver.
  • Updated May 12: Added information on free support, and a note on Media Center Digital Rights Management problems.
  • Updated May 13: Added some information on how to determine which control set to modify for the intelppm workaround. Also added a pointer to an HP support article on the problem and a request to verify a claim made in that article.
  • Updated May 14: Received confirmation about how HP configures its computers. Added an explanation to how the problem occurs.
  • Updated Again on May 14: Not sure why I didn't think of this until now, but I wrote a small tool that will detect the IntelPPM problem and mitigate it before installing the service pack.
  • Updated May 20: Fixed the description of the intelppm.sys problem to more accurately represent how the problem occurs.
  • Updated May 22: Added a note on how to properly download the tool using Safari.
  • Updated May 24: Added information on conflicts with anti-malware software, including Symantec's suites. The short version is: you MUST disable any security software before installing SP3.
  • Updated June 4: Added information on a conflict with certain wireless cards.

 

Before you read on, read this!

There are several issues that can cause a Windows XP computer to not reboot properly after installing Service Pack 3. Most of them affect relatively specific configurations, and most appear to have relatively simple work-arounds. Please: do not do anything rash. I have seen a lot of reports of people who reformat and reinstall when they run into this problem, losing all their data in the process. There is often no need to do anything that drastic. First read this post, and see if anything here helps you. If not, call Microsoft's technical support line and see if they can't help you.  

If you have not yet installed SP3, make sure you disable, or better yet, remove, any anti-malware suite before doing so. If you do not, it is possible that you will get various kinds of corruption during the installation.

 

Free SP3 Support from Microsoft

EmilySc, a Microsoft employee, posted in the newsgroups yesterday that there is now free installation and troubleshooting support for SP3. This may be a real help to those who need interactive help solving the problem.

You can find all the support options on the Microsoft Support Website. In North America, free telephone support is available by calling (866) 234-6020.

 

The Problem

Last night WSUS deployed XP Service Pack 3 (SP3) to the sole remaining computer running XP that I have. This morning, I came down and was greeted with incessant reboots. The computer booted, apologized for not being able to boot properly, asked if I wanted to boot into safe mode, defaulted to normal boot, rebooted, and so on and so on. At this point, I want to clarify that the endless rebooting is not at all related to SP3 per se. The problem is that with some configurations, SP3 causes the computer to crash during boot, and Windows XP, by default, is set up to automatically reboot when it crashes. That is why you end up in the endless rebooting scenario.

There are many possible reasons why a computer may crash at boot time. SP3 seems to introduce two that are related to AMD-based computers, and, possibly, one or two more that appear to affect Intel-based computers. Which one it is impacts which work-around you use. At this point, the information is still trickling in. If you have a crash on boot problem that does not match what I describe below, and it happened as soon as you installed SP3, I'm sure others would like to know as well, including as much detail as you can give us.

 

First problem, affecting AMD-based computers with OEM images, primarily HP Desktops

NEW: Use this tool to mitigate the problem

If you have an AMD-based computer, and all you want to do is prevent the problem before installing Service Pack 3, then try the new tool I just wrote. It will first check whether you have an AMD-based computer. If you do it will check whether the IntelPPM driver is set to load. If it is it will offer you an option to disable it. The tool works by simply double-clicking it. If you need to check many computers on a network you can do that by running it from the command line, using this command:

removeIntelPPMonAMD.vbs <computer 1> <computer 2> <computer 3>...

It will take an arbitrary number of computers. The only caveat is that the tool will prompt you several times for each computer. If you really need a silent version, I can probably be persuaded to write one for you.

Note that if you are downloading the tool on Safari there is a bug in how Safari handles these types of downloads. If you just click on the link Safari will save the tool with a .txt extension instead and open it. You can remove that extension and then double-click the tool to run it. If you right-click the link and select "Download link as..." Safari will put the name on the containing page on the tool, not the name of the tool itself. You would need to rename it to something with a .vbs extension first to use it. Neither Firefox nor Internet Explorer makes it this difficult to download that tool, although Firefox does not properly handle right-clicking and selecting "Save link as..."

Disclaimer: the tool is provided "as is" with no warranty express or implied. It is designed to make changes to your system and those changes always carries a risk. Even though I have tested it as much as I can, I cannot guarantee that it will work for you. By running the tool you agree to hold me harmless for any damage it may cause to your computer.

Problem Details

In my case, the computer would boot into safe mode fine, so I did that. Not knowing what it was, I ran a disk check, which turned out to be a real mistake. Once I configured the computer to run a disk check at startup it would not even boot into safe mode.

Fortunately, I know Bill Castner, another Microsoft MVP, and he pointed me to a solution. It turns out that this computer is running an OEM OS image from HP. If you have an HP computer with a part number that ends with a 'z' you have an AMD-based computer. Other manufacturers have also shipped AMD-based computers, but it is unclear whether they have built their images the same way HP did.

The problem is that HP, and possibly other OEMs, deploy the same image to Intel-based desktops that they do to AMD-based desktops. It also appears that this is unique to their desktop image, and HP's AMD-based laptops are unaffected by the problem. Because the image for both Intel and AMD is the same, all of them have the intelppm.sys driver configured to load. That driver provides power management on Intel-based computers. On an AMD-based computer, amdk8.sys provides the same functionality. Microsoft points out in a Knowledge Base article that installing both drivers on the same computer is an unsupported configuration, putting the blame on the OEM that deploys the image. The article in question was written when the same problem occurred after installing Service Pack 2 for Windows XP.

Ordinarily, having intelppm.sys listed in the registry on an AMD-based computer appears to cause no problems, so long as the binary does not actually run. On HP's images, the driver is not installed, even though the driver is listed in the registry and supposed to load. However, on the first reboot after a service pack installation, it causes a big problem. The computer either fails to boot, as in my case, or crashes with a STOP error code of 0x0000007e. If you see that error code you almost certainly have this problem. The computer will boot into safe mode because the drivers are disabled there. Please note here that simply having the intelppm.sys file on your computer is not the problem, so searching for it in the Windows directory is not relevant. Nor is only having a directive in the registry to load it a problem. It must be running to cause a problem, which means the file has to both exist on the disk, and the registry has to be configured to load it. Therein lies the problem. HP's images have the registry key set but no driver on disk. When the service pack is installed the pre-existing directive in the registry is read, the installer lays down the driver on the disk, and on the next reboot it launches, causing the crash.

You may not see the error code because the computer reboots too fast. To force the computer to stop when it crashes, you need to set an option during startup. To do so, hit the F8 key during restart right when you see the black Windows XP screen come up. Then select the "Disable automatic restart on system failure" option, as shown below:

To fix the problem, boot into safe mode, or boot to a WinPE disk, or into the recovery console, and disable the intelppm.sys driver.

WARNING: Do NOT under any circumstance disable the intelppm driver on an Intel-based computer. It will make your computer not boot! If your computer will not boot because you disabled the intelppm driver on an Intel-based computer, follow the directions in the Recovery Console section below.

If you have an AMD-based computer, however, you do not need the intelppm driver and can disable it. Boot into Safe Mode by hitting the F8 key as above, but select Safe Mode instead. You will need your Administrator account to log on in safe mode. To disable the driver, take the following steps:

If you booted into the recovery console, from a command prompt, run "disable intelppm"

If you booted into safe mode you can run "sc config intelppm start= disabled"

If you booted into WinPE, you have to manually edit the registry. Do this:

  1. Run regedit
  2. Click on HKEY_LOCAL_MACHINE
  3. From the File menu, select "Load hive"
  4. Navigate to %systemdrive%\Windows\System32\Config on the dead system and select the file named System
  5. Name it something you can remember, such as "horked"
  6. Navigate to horked\<the current control set>\Services\IntelPPM. See below for how to determine which one is the current control set.
  7. Double click the Start value and set it to 4
  8. If you did what I did and completely destroyed things by running a disk check, navigate to <the current control set>\Control\Session Manager. Open the BootExecute value and clear out the autochk entries
  9. Reboot

Step 6 asks you to navigate to <the current control set>. Under HKEY_LOCAL_MACHINE\SYSTEM there are typically at least two numbered control sets, and sometimes there are up to four. They are called ControlSet001, ControlSet002, and so on. Control sets hold all the configuration data for the computer, including all drivers that load. One of them is designated the current one, and the others are backups of previous configurations that worked. The control set that is currently used as the current one is the one listed in the "Current" value under HKEY_LOCAL_MACHINE\SYSTEM\Select. That is the control set that you need to modify in step 6. If you modify one of the other control sets it will not solve the problem. You need to modify the current one. If you manage to boot the computer, CurrentControlSet will be a pointer to the current one and you can modify that one. If you boot from the recovery disk you have to figure out which one is the current to modify the proper one. It will not always be ControlSet001.

If this was your problem, the computer should now reboot just fine.

HP's Response

On May 13, 2008 HP posted a support article on this problem. In that article they claim that the Service Pack copies the intelppm.sys driver to the computer even though it was not there before the Service Pack was deployed.

HP is partially correct. On their desktop images the intelppm.sys file does not exist in the %systemroot%\system32\drivers directory prior to installing the service pack. However, on its laptop images the file does exist there. By contrast, on the HP desktop images the intelppm registry key does exist under HKLM\SYSTEM\CurrentControlSet, and it directs the driver to start. On the laptop images, the registry key does not exist. This is why HP's desktop images exhibit the problem and the laptop images are fine. It is not the presence of the driver on disk that is the problem. It is the instruction to load it that HP put into the registry that causes the problem.

That would also explain why the SP3 installer lays down the driver file on disk even though it did not previously exist. I would expect that the installer looks at all the drivers listed in the registry and simply makes sure that there are updated versions of all of them, without checking first whether they existed prior to installing the service pack. After all, if a driver is listed in the registry, and the operating system is instructed to load it, developers could very easily make the assumption that the driver is present on the computer and actually does load.

Regardless of whether the driver file is there or not, I still have to say that the problem is that the registry key should not exist on an AMD-based computer, regardless of what files are laid down on disk. It is not the presence of a file that causes a problem, but the instruction to load that file on boot, and that instruction is represented by the registry key. It is perfectly legitimate to lay down all kinds of files on disk during installation but not load them. In fact, HP itself lays down the intelppm.sys file in the i386 directory - the on-disk cache directory of operating system files. This strategy is also used successfully by Microsoft Office, Windows Vista, Windows Server 2008, and several Adobe Products. It prevents the user from needing access to the original disks to update, repair, or modify an installation.

What this means is that if you have one of the affected HP desktop computers you can prevent the problem before it even starts. Before installing the service pack go to a command prompt and run either of these commands:

reg add HKLM\System\CurrentControlSet\Services\Intelppm /v Start /d 4 /t REG_DWORD

sc config intelppm start= disabled

Both commands will disable the driver before you install the service pack and will prevent the problem from ever occurring.
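Step 6 of the WinPE procedure above (find the control set that Select\Current points at, not just ControlSet001) and the pre-install check that the VBScript tool performs (AMD CPU, IntelPPM set to load) are the same three registry reads. Here is an added example of that triage done offline in Python. It is not the removeIntelPPMonAMD.vbs tool and not code from this post; it assumes you have a text export of the relevant keys produced with `reg export HKLM\SYSTEM` and `reg export HKLM\HARDWARE` (or an export of a hive you loaded under another name, adjusted accordingly), and the two sample exports in the block are constructed for the example, not taken from a real machine.

```python
"""Offline check for the XP SP3 intelppm-on-AMD problem, from a .reg export.

Added example: resolves the current control set via HKLM\SYSTEM\Select\Current,
reads IntelPPM's Start value from that control set, reads the CPU vendor, and
reports whether this is the at-risk combination described in the post.
"""
import re

SERVICE_DISABLED = 4          # Start value that stops a driver from loading
SYSTEM = r"HKEY_LOCAL_MACHINE\SYSTEM"
HARDWARE = r"HKEY_LOCAL_MACHINE\HARDWARE"


def parse_reg_export(text):
    """Parse a 'Windows Registry Editor Version 5.00' export into
    {key_path: {value_name: value}}.  Paths and value names are lower-cased
    because the registry is case-insensitive and exports keep whatever case
    the writer used (IntelPPM vs intelppm).  dword values become ints,
    quoted strings become str, anything else (hex(2):..., hex:...) is kept raw."""
    reg, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            reg.setdefault(current, {})
            continue
        m = re.match(r'^(?:"((?:[^"\\]|\\.)*)"|@)=(.*)$', line)
        if m is None or current is None:
            continue
        name = (m.group(1) or "").lower()      # '@' is the key's default value
        value = m.group(2)
        if value.startswith("dword:"):
            reg[current][name] = int(value[len("dword:"):], 16)
        elif len(value) >= 2 and value[0] == value[-1] == '"':
            reg[current][name] = value[1:-1].replace('\\\\', '\\').replace('\\"', '"')
        else:
            reg[current][name] = value
    return reg


def values(reg, path):
    """Case-insensitive key lookup; a missing key reads as empty."""
    return reg.get(path.lower(), {})


def current_control_set(reg):
    """Which ControlSetNNN is live: the number in HKLM\SYSTEM\Select\Current.
    It is not always 001, which is why editing the wrong one fixes nothing."""
    n = values(reg, SYSTEM + r"\Select").get("current")
    if n is None:
        raise ValueError("export has no HKLM\\SYSTEM\\Select\\Current value")
    return "ControlSet%03d" % n


def assess(reg_text):
    """The three facts the tool checks, plus a verdict: an AMD CPU with
    IntelPPM still set to load in the current control set is the at-risk case."""
    reg = parse_reg_export(reg_text)
    cs = current_control_set(reg)
    cpu0 = values(reg, HARDWARE + r"\DESCRIPTION\System\CentralProcessor\0")
    vendor = cpu0.get("vendoridentifier", "unknown")
    start = values(reg, SYSTEM + "\\" + cs + r"\Services\IntelPPM").get("start")
    at_risk = vendor == "AuthenticAMD" and start is not None and start != SERVICE_DISABLED
    return {"control_set": cs, "vendor": vendor, "intelppm_start": start, "at_risk": at_risk}


def remediation(report):
    """The post's pre-install fix, aimed at the resolved control set so it is
    also right for an offline hive; on a booted system CurrentControlSet is
    an alias for the same key."""
    if not report["at_risk"]:
        return None
    return (r"reg add HKLM\SYSTEM\%s\Services\IntelPPM" % report["control_set"]
            + " /v Start /t REG_DWORD /d 4 /f")


# Constructed sample exports (not from a real machine), trimmed to the keys
# that matter.  ControlSet001 is already disabled but is NOT the current set.
HP_AMD_DESKTOP = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0]
"VendorIdentifier"="AuthenticAMD"

[HKEY_LOCAL_MACHINE\SYSTEM\Select]
"Current"=dword:00000002
"Default"=dword:00000002
"Failed"=dword:00000000
"LastKnownGood"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\IntelPPM]
"Start"=dword:00000004

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\IntelPPM]
"Type"=dword:00000001
"Start"=dword:00000001
"ImagePath"=hex(2):73,00,79,00
"""

INTEL_LAPTOP = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0]
"VendorIdentifier"="GenuineIntel"

[HKEY_LOCAL_MACHINE\SYSTEM\Select]
"Current"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\intelppm]
"Start"=dword:00000001
"""

if __name__ == "__main__":
    for label, dump in (("HP AMD desktop", HP_AMD_DESKTOP), ("Intel laptop", INTEL_LAPTOP)):
        r = assess(dump)
        print(label, r, remediation(r))
```

The AMD sample is deliberately set up so that ControlSet001 already has Start=4 while Select\Current is 2: the report still comes back at risk, and the suggested `reg add` targets ControlSet002. On a machine that boots, the same three values can be read live instead of from an export; the `/f` on the generated command only suppresses the overwrite prompt, it does not change what the post's own command does.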

 

Potential impact on Media Center

Two separate posters have reported problems with Windows Media Center after this work-around. At this point, I am not ready to say that this is caused by using the work-around, but if you have this problem, I would appreciate a note to confirm it.

Logically, it could be related. This is pure speculation, but based on what I know about the Digital Rights Management (DRM) in Media Center, it may detect the change in hardware (disabling the intelppm driver) as a hostile action and disable viewing of DRM-protected content. Unfortunately, Comcast Cable puts a DRM signal into some of their cable channels, which means you can no longer watch those channels. You would also be unable to watch previously recorded content. The content provided by Comcast is not actually encrypted, but Windows enforces the DRM nevertheless.

I had a very similar problem with Media Center last year. At the time I was unable to resolve it. However, I would encourage anyone who has this problem to try resetting the DRM components in Media Center. If that does not work, try re-enabling the intelppm driver and see if that helps. It should be safe to do so if the intelppm.sys file is not present in the %systemroot%\system32\drivers directory (check first), and once the computer has booted properly after the service pack installation.  

Bill Castner, who is rapidly becoming my new hero, also posted a solid work-around for Media Center problems over in the AumHa forums. Try that one as well, it may solve your problems too.

 

Second problem, affecting certain AMD motherboards

The second problem type manifests itself in a different error code during boot, and also seems to affect only AMD-based computers. The error code will say something similar to:

Problem was detected and windows has been shut down to protect your computer from damage.
 
The BIOS in this system is not fully ACPI compliant
 
You will then get some information about how to update your BIOS. The BIOS is the basic firmware built into the computer that handles reading and writing from disk and memory, as well as some other devices. That is most likely not your problem. The screen ends with the tell-tale error code: STOP: 0x000000A5. If you have that error code, and you just installed SP3, this is most likely your problem.
 
At the moment, I do not know for sure why this is happening, and I have not personally seen it. The problem appears to be the ASUS A8N32-SLI Deluxe motherboard, also with an AMD processor. Several different AMD processors have been fitted on that board, however, so it seems more likely to be the board than the processor.
 
The solution is simplicity itself: insert a USB flash drive, or some other form of secondary storage mechanism, before booting the computer. The people that have seen this problem report that it goes away when they do. The catch is that the computer will only boot with a secondary drive attached. If you remove the secondary drive it will no longer boot.
 
It also appears that this could be related to using a USB mouse. If you have a USB mouse, try moving it to the PS/2 port instead (the little round port, you should have received an adapter with your mouse). That seems to resolve the problem without the use of an external USB flash drive.
 
If you have this problem, and either solution helps, or even if they do not help, I'd appreciate a comment on the blog so we can figure out what is going on here.

Other STOP Errors

Every time a service pack is installed, or any major maintenance like it is performed, a certain, very small, number of computers seem to not come back up. The reasons could range from malware on them that is conflicting with the installation or the new files, to bad hardware that somehow failed at that very moment.

For that reason, there may be other STOP errors involved in this problem. Due to the default settings in XP, all of them would result in an endless reboot cycle. Only if there are many of them does it usually indicate a problem with the service pack. A fair number of people are reporting an error code 0x00000024. It usually means either that the file system driver, ntfs.sys, has been corrupted, or you have a hard disk with bad blocks in bad places. It could be totally unrelated to the service pack. At this point, I just do not have enough details to tell. This one seems to be more related to Intel-based computers though.

It is also possible that 0x00000024 has to do with a faulty video driver. I have seen a couple of reports of crashes caused by the ATI Catalyst 8.4 drivers, and one of a crash involving an nVidia driver of some kind, but I do not know which one. To see if that is your problem, try booting into Safe Mode or VGA mode. If VGA mode works you very likely have a video driver issue. Gary Barclay, in a comment below, pointed out that the 8.432 version of the driver may be the one that is faulting, and that version 8.467 appears to work properly. If anyone else can confirm that, I'm sure many others will be happy about it.

If you are getting the 0x00000024 error, there are some things to try:

  1. There is some good information in the Microsoft knowledge base on how to trouble-shoot STOP errors. Try following that.  
  2. If you have multiple drives in the computer, disconnect them one by one and try booting. The problem may not be on your primary drive and this could let you isolate which one has the problem.
  3. Run chkdsk /r. The problem could be file system related, and chkdsk could fix it. However, to do that you have to boot the computer successfully. If you have a 0x00000024 error, it will not boot even into safe mode. You will need to follow the instructions in the Recovery Console or WinPE sections below to boot the computer.
  4. Replace the ntfs.sys driver. If the driver file itself has become corrupted there is a backup copy in the %windir%\system32\dllcache folder. If nothing else helps, you could try replacing the version in %windir%\system32\drivers folder with the one from dllcache and see if maybe it was a corrupted file problem.
  5. If you have an ATI or nVidia driver for your graphics card, notably the ATI Catalyst 8.4, and your computer will not boot, try booting into VGA mode and see if that works. If it does, you almost certainly have a video driver problem. Uninstall the driver and see if Windows will find a better one. If this works for you, please either contact me using the contact link, or post a comment, so others can learn what is really happening here.

There have also been sporadic reports of video driver problems as well as other issues, like the VPN issues. Most of those have to do with some form of third-party software that does not work with SP3. If you have a problem that is not covered here, it would be good if you could let us know. It may be related to SP3, in which case others may have it too. The VPN issue mentioned by one of the posters has me very interested, for example.

Other people are reporting that the computer is complaining that a particular file is corrupted. Sometimes the corruption results in a blue screen, other times something does not work right after the computer reboots.  At this point I am not sure what could be causing this, and I would encourage anyone who runs into that problem to call the Microsoft support line listed above. If they manage to figure out what the problem is, please post back here so the rest of us can find out.

Conflicts with Certain Wireless Card Drivers

Tim Steele read the blog and found that his problem was not solved. After doing some more research he discovered a conflict with certain wireless cards. I asked if I could post his discovery. This is what he wrote:

Some 802.11b wireless cards cause XP to blue screen after installing SP3

If you have any of the following 802.11b wireless cards you'll see a blue screen after installing SP3:

SMC 2635W, Belkin F5D6001, Linksys WPC11 v1, Blitz NetWave Point PC, Xterasys Cardbus XN-2411b, D-Link DWL-520 Revision C, Xterasys Cardbus XN-2411b, Fiberline FL-WL-200X, 3com Office Connect 3CRSHPW796, Corega WLPCIB-11, SMC 2602W V2, and D-Link DWL-520 Revision C.

These cards all use the adm8211 chipset. The driver was provided by ADMtek and badged by the vendors. The last version on the net seems to be 1.80. The D-Link driver is WHQL certified and signed.

There are plenty of adm8211 cards out there inside machines which are about to update to SP3, Windows Update doesn't check whether you have one of these cards before automatically installing SP3, so the effect for many users will be a mysterious blue screen and no obvious cause.

It's not clear whether the vendors or Microsoft should be responsible for fixing this, but surely as a minimum SP3 should not install on machines with this hardware.

Conflicts with Anti-Malware Software

Gregg Keizer wrote an interesting couple of articles in Computer World (second piece is here) about conflicts between Symantec's anti-malware suites and SP3. It appears all but certain that the anti-malware suites cause registry corruption, failures in device manager, and other problems, when you install SP3. An interesting thread on Symantec's support forums documents some of the problems. There are directions for how to disable Symantec's software in another thread.

The security suites add significant hooks into the operating systems. It is quite possible that they will prevent a major installation, such as a service pack, from completing properly. For that reason, you should at the very least disable any anti-malware or security software you have installed prior to installing the service pack. If you can uninstall it, install the service pack, and then reinstall the anti-malware software, you will probably have even greater chance of success.

Using the Recovery Console in XP

If you cannot boot into safe mode you can try using the Recovery Console in Windows XP. This requires you to have a Windows XP CD. Knowledge Base Article 307654 has directions on how to use it. You do not need to follow the instructions for how to install it. In fact, if you have a problem like the 0x00000024 issue above, you probably can not boot from an installed recovery console anyway.

In brief, to boot from the recovery console in XP, do this:

  1. Insert your Windows XP CD
  2. Boot the computer
  3. Select to boot from the CD. On many computers you have to hit a button to do that. On Dell computers the button is usually F12. On HP it is usually ESC.
  4. The computer will work for a while and eventually you get a screen that says "Welcome to Setup". Hit the R key here
  5. It will ask you which installation you want to boot. If you have several XP installations on this computer, select the one you want. Of course, if you have several installations, and one still works, you would not need these steps.
  6. Type the administrator password for the installation you need to repair.

At this point, you should be at a command prompt. The commands you can run are very limited and they are often different from what you are used to. If you have disabled the intelppm driver on an Intel-based computer and need to re-enable it, run "enable intelppm SERVICE_SYSTEM_START".

If you need to run chkdsk you can do it from the recovery console window as well. The C: drive is the boot volume in your Windows XP installation. To run the full check run "chkdsk c: /p /r"

 

Build a WinPE Disk on a Flash Drive

Another option, recommended for advanced users, is to have a Windows PE disk handy. Windows PE is a miniature version of Windows that can boot from a CD, and starting with Windows Vista, a USB Flash Drive. I wrote up directions on how to build a Flash Drive with Windows PE in the Vista book, and there are now also directions on TechNet. You need to have access to a computer that boots, and you need a copy of the Windows Automated Installation Kit (WAIK). Once you burn the AIK image to a disk you can install it and start building your Win PE disk.

Using a Windows PE disk you get access to all the normal tools, like regedit. It has far more features than what you have with the recovery console, but requires a lot more prep work to get started.

 

Removing SP3

A few people decided the problems were sufficient to just remove SP3 altogether. If you have a problem that is not covered above, that may be your best option for the moment. Microsoft just published an article on how to remove the service pack. It includes information on how to remove it even from the Recovery Console, so even if your computer will not boot you should be able to do it.

Phishing for a Tax Refund

What's wrong with this picture?

If you answered "why would the IRS use a web server in Korea to ask for information about my tax refund" you are a winner!

This is a phishing site preying on people who do not know that all you need to do to get your tax rebate is to file a tax return this year. Apparently, this is the hot new phishing scam, and the IRS has instructions for how to handle it.

The e-mail came in at 21:07 PDT today. By 21:30 PDT it was not recognized as a phishing site by either Internet Explorer or Firefox. By 21:35 Firefox had it marked. Impressive. By 21:40 IE did not have it marked, which I found interesting.

Warning! Don't run Anti-Malware Software on Your Research Machine

I do not run any anti-malware software on my primary workstation. It's a habit I got into way back when I was doing penetration assessments. I showed up at the site, fired up ye olde laptop, and went to run some tool. ...went to run some tool. Hey, where did that tool go? It was there when I left home?!? Turns out the anti-malware software that the company shoved down on my laptop had removed the tools I needed to do my job because they were deemed to be malware. Today I had another reminder of why this is probably a good policy for me.

On a whim I decided to run the latest beta of the OneCare Live Safety Scanner on my primary laptop. I was very surprised when the scanner actually found some malware on my computer. This was the first time any anti-malware had found any malware on any of my computers since some free anti-virus for the Macintosh found a virus on a floppy disk I put in my Mac II Se, in 1991. After a 17-year hiatus, I finally managed to contract some malware!

After the scan was finished I had my explanation:

The infection was in my dev projects directory, in a directory called moztests. That's where I put the files I wrote when I was working on what Mozilla eventually patched as MFSA2007-27. OneCare just cleaned my research off my computer!

Do not misunderstand me. I am not saying that you should not use anti-malware software. I am not even saying that you should do as I say, not as I do, as many security "experts" tend to say. All I am saying is that you need to consider the consequences of all software you install. While it is true that I do not see much malware on any of the computers I manage, that is not a reason to not run anti-malware on them. You need to consider the risks of not doing so. I would never leave our kitchen computer, the closest thing to a kiosk that we have in my house, without anti-malware. Likewise, I find it wise to run it on the kids' computer. My laptop, on the other hand, is used for all kinds of work where the anti-malware would get in the way, so I refrain from it, accepting the risk that I may, inadvertently, one day click on something I shouldn't. To at least minimize that risk I run as a standard user in Windows Vista.

Furthermore, there is one additional thing you should consider. If we took the advice of some authorities and stopped running anti-malware software, would the status quo - the state where we really do not find much active malware - remain? Of course not. Right now the malware purveyors are mutating their software at extremely rapid rates, producing, literally, millions of new malware every year. At an event last week I heard a figure that we are on track to see 5 million unique pieces of malware again this year. Yet, most people I talk to say their anti-malware solution never finds any of it on their computers. More than likely that is due in large part to the fact that the vast majority are mutations of earlier versions; created to stay ahead of the anti-malware software. If we remove anti-malware software from the eco-system we would make it that much easier for the bad guys to control us. They could stop the mutation arms race and focus instead on getting fewer versions deployed to more computers, and we would have no hope of catching any of it. Therefore, the advice to not run anti-malware is unsound at best. It has simply become a cost of using a computer these days; a cost of keeping the eco-system as sound as is possible with a technology-only solution.

However, you may want to think twice about anti-malware on a computer you use for vulnerability research.

Quantum Security

The May 2008 issue of TechNet Magazine is out. It has an article in it that I have been wanting to write for a long time, called Quantum Security. In it I posit the argument that there are some fundamental laws of security, similar to the laws of physics, which we must not ignore in our risk management practices. I also got to include a revised version of the age-old Annualized Loss Expectancy (ALE) equation. Anyone who has taken the CISSP exam should be familiar with ALE. I believe the equation in common use is outdated and fails to account for the modifications we make to systems when we apply security to them. To properly address risk we need an updated version of the ALE. The article includes the rationale.

The article is available online, but I think the print version looks a lot nicer. Let me know what you think about it.

How to remove the security warning, or should you?

This morning there was an interesting question in the Windows Vista Security Newsgroup. The poster had written an application that users were downloading. However, when they ran the application they received a warning dialog, like this one:

The poster wanted to remove this warning dialog to avoid confusing users.

This dialog is created because Internet Explorer, and some other applications, add a bit to the file to mark it as being downloaded from the Internet. It serves as a warning that this may be untrusted content. If the file is digitally signed, the warning does not have the red shield, and the publisher is listed in the dialog, but otherwise it stays the same. The poster asked if getting a digital certificate and signing the executable would get rid of the warning. It will not. This warning is there to warn the user. I think it is an important safety mechanism, and that, rather than trying to remove the warning, which is possible, we should help the user understand it. Therefore, here is my response:

You should definitely digitally sign the application no matter what. However, that will not remove the warning. It just will have your (or your company's) name in the dialog and won't say "Unknown Publisher."

Technically, there is a way to get rid of this warning, but it is there as a warning to end users. If you remove it here, you would also remove it for all other executables. That would put your users at significant risk. If you programmatically remove that warning, you would be responsible for putting them at significant risk; a responsibility that I am pretty sure you do not want to accept.

Rather, I would suggest that you take the opportunity to educate your users. Teach them that the warning is there so that they can assess whether they want to accept the risk involved in opening applications off the Internet. In this case, you have digitally signed the application so they can trace it to you and have assurance that they are, in fact, opening a trusted application. Anytime they get a dialog like this they should evaluate it and see if they really want to accept that risk or not. If the publisher is unknown, they have no way to tell who wrote the application, and should consider it a higher risk.

Update, April 22, 2008:

Based on the comments, it is quite obvious that I was not clear enough in the post. Yes, IE adds a flag to the downloaded file through an alternate data stream, there are tools that can show you those streams, and even the built-in unzip tool in Windows adds the same flag to extracted files if the archive that was unzipped has the flag set. The point, however, was not how a very technically savvy user can download an advanced tool and manually review the alternate data streams, and possibly remove them. If all you want to do is remove that flag it would be far simpler, in fact, to uncheck the box in the dialog for "Always ask before opening this file"; although maybe inspecting and twiddling with alternate data streams would be more satisfying for some segment of computer users.
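For readers who want to see rather than remove the flag, here is an added example (not code from the original post) that parses the Zone.Identifier alternate data stream Windows writes to downloaded files and lists files marked as Internet downloads. The stream layout ([ZoneTransfer] with a ZoneId line) and the zone numbering are the Windows URL security zones; the sample stream is constructed, and the stream read only works on NTFS.

```python
import configparser
import os

# Windows URL security zone ids as recorded in the Zone.Identifier stream.
ZONE_NAMES = {0: "Local Machine", 1: "Local Intranet", 2: "Trusted Sites",
              3: "Internet", 4: "Restricted Sites"}

# Constructed sample of the stream IE writes for a file downloaded from the Internet.
SAMPLE_STREAM = "[ZoneTransfer]\r\nZoneId=3\r\n"


def parse_zone_identifier(stream_text):
    """Parse Zone.Identifier text into {"zone_id": int|None, "zone": str, ...}.

    Malformed input yields zone_id None instead of raising, so a scan over
    many files is not aborted by one odd stream.
    """
    parser = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    parser.optionxform = str  # keep key case (ZoneId, HostUrl, ...)
    try:
        parser.read_string(stream_text)
    except configparser.Error:
        return {"zone_id": None, "zone": "malformed"}
    if not parser.has_section("ZoneTransfer"):
        return {"zone_id": None, "zone": "no ZoneTransfer section"}
    section = dict(parser["ZoneTransfer"])
    try:
        zone_id = int(section.get("ZoneId", ""))
    except ValueError:
        zone_id = None
    result = {"zone_id": zone_id, "zone": ZONE_NAMES.get(zone_id, "unknown")}
    # Later Windows versions add keys such as HostUrl; keep whatever is present.
    result.update((k, v) for k, v in section.items() if k != "ZoneId")
    return result


def read_mark_of_the_web(path):
    """Read a file's Zone.Identifier stream (NTFS only; None if absent)."""
    try:
        with open(f"{path}:Zone.Identifier", encoding="utf-8", errors="replace") as f:
            return parse_zone_identifier(f.read())
    except OSError:  # no stream, or a file system without alternate data streams
        return None


def scan_for_internet_files(directory):
    """Return paths under directory that Windows marked as Internet downloads."""
    flagged = []
    for root, _dirs, files in os.walk(directory):
        for name in files:
            full = os.path.join(root, name)
            info = read_mark_of_the_web(full)
            if info and info["zone_id"] == 3:
                flagged.append(full)
    return flagged


if __name__ == "__main__":
    print(parse_zone_identifier(SAMPLE_STREAM))  # {'zone_id': 3, 'zone': 'Internet'}
```

Run it against a Downloads folder on Windows to see which files still carry the Internet flag; on a non-NTFS file system every file reports no stream.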

The point I was trying to make was that a lot of people in the tech community focus on hiding warnings from the user so that the user is not bothered, ostensibly with data they are not competent to parse. That is wrong. There are very good reasons for these warnings in many cases. Rather than trying to prevent users from seeing them we all need to do our part to help users understand what they are seeing and make appropriate decisions based on that data. That would provide a savvier user base and a more secure eco-system in the long run. We cannot keep focusing on preventing people from making risk management decisions any longer. If we do, eventually, they will realize they do not have the skills to do so, and that nobody is willing to help them acquire those skills. At that point, the eco-system will be in danger of collapse.

Today's forecast for O'Hare: Lots of Vulnerable Computers

Olliver Sommer, a German Small Business Server MVP, flew home from the Microsoft MVP Summit via O'Hare Airport in Chicago. While there, he spotted this wonderful piece of advice for how to configure your computer to use the airport wireless network.

The document is meant well, but lacks a bit in the execution. It recommends that you disable exceptions in Windows Firewall because doing so stops attacks through Windows Messenger while on the wireless network. Of course, you would only get attacked through Messenger if you actually accept unsolicited requests from people.

The document then goes on to show how to disable the exceptions. It even has a screenshot; which would work far better if the screenshot showed the exceptions disabled. Instead, the screenshot shows the firewall turned off entirely. One has to wonder how many people followed the advice in the picture as opposed to the text.

Then comes the pièce de résistance. The document recommends you disable Simple File Sharing. This presumes that you are using Windows XP Pro, as Windows XP Home does not permit you to turn off Simple File Sharing. Simple File Sharing, as it turns out, is partially a user interface feature that governs which sharing user interface you see. However, there is an internal feature as well. In fact, Simple File Sharing is essentially the Force Guest feature. If Force Guest is turned on, all users connecting from the network connect as Guest. In other words, by disabling Force Guest, you would enable remote users to connect as an authenticated user, potentially even an administrator. Force Guest ensures that the only thing a remote user can do is read, and write if you have permitted that, the files you have made available to network users. Turn off Force Guest and a user that guesses the password of your administrative account can take over your computer.

In other words, the guidance that O'Hare Airport is publishing has you disable the firewall and enable traditional file sharing so anyone can start guessing passwords against your computer. One wonders if this is perchance some new Transportation Security Administration (TSA) inspection scheme to investigate what is on your laptop?

Apparently I am an Australian MVP

The Australian MVPs at the Microsoft MVP Summit this week were overshadowed in national pride only by the Canadians, by a lot. So, the Australians co-opted a Brit and, well, me, so their attendance numbers would look better. The result is on Flickr.

So guys, does that mean you're going to have me come back down under anytime soon, like, say, during diving season?

What I Learned from Attending the Windows Launch Event Today

Today I attended the Microsoft 2008 server wave launch event in Seattle. In the process I learned a number of things:

  1. The launch event apparently does not need to coincide with actually launching anything. Server 2008 launched a couple of months ago. Visual Studio 2008 launched in November 2007, and SQL Server 2008, the third part of the trifecta that comprised the launch, will not actually launch until the third quarter this year.
  2. The primary purpose of launch events is apparently to get free junk, and in some cases, other stuff, from a collection of vendors you have never heard of and don't care about. I hung out in the "Ask the Experts" booth for a while, with fellow MVP Alun Jones. I think we answered more questions about "so, what free stuff do you give away" or "would you like to scan my badge for your drawing" than we did on any other topic. We did not actually have any drawing, nor any free stuff to give away other than actual knowledge, or at least, opinions. We answered precious few security questions.
  3. Explaining to people that you are a security "expert" apparently does not stop them from asking you questions about SharePoint.
  4. What the one sausage said to the other sausage in the frying pan (yeah, it was bad, and it is not really worth the bits to relay it)
  5. Windows Firewall with Advanced Security stops malware from spreading on your network. Yes, that's right. I went to the security presentation and, apparently, in conjunction with System Center, Windows Firewall will somehow cause malware to ask for permission before sending your credit card to Russia and your bank account to China. Had I not known already that no host-based firewall can stop malware running on a computer from sending anything to anyone, I might actually have been convinced by this claim. As it was, I was just kind of appalled that Microsoft now officially makes the same ludicrous and impossible claims that the security vendors do.
  6. Network Access Protection (NAP) provides "Secure Access Control" to your network. Apparently it does this by giving your computer a bogus IP address. This means that the domain admin that logs on to a workstation cannot disable the built-in firewall. Yes, that is correct, during the demo, the presenter actually logged on to a Vista client using a domain admin account (bad), and then claimed that NAP can stop the locally logged on user from doing whatever that user possibly pleases to do (untrue).

At that point, I decided I had had enough marketing shill for one day. The event was interesting, and I think most of the attendees got some value out of it in that they learned a little about some new features. However, the NAP issue deserves some additional commentary.

In case you did not know, NAP is a policy compliance feature in Windows Server 2008. It will ask well-meaning clients to provide their state of health before they get to communicate on the network. It can use three different "enforcement" mechanisms. One is DHCP based. The client simply does not get a proper lease. One is IPsec based - the client does not get the proper material to negotiate IPsec security associations. And the third is 802.1x-based - the switch won't open the port to the correct network until the client is considered good.

As you can probably tell, the DHCP based "enforcement" is extremely weak. The user on the client, or some piece of malware, can simply configure a valid IP address and go to town on the network. 802.1x can be easily defeated by installing a hub in front of the switch, letting a legitimate client open the switch port, and then stealing the port by setting your MAC address on a rogue host on the same hub to the same address as the legitimate client. The IPsec enforcement is considerably more difficult to circumvent, but you can still do it by making the NAP client lie.

The short story, then, is that NAP still relies on the client to tell the Network Policy Server (NPS) what its state is. If the client lies, the NPS server has no way to know the difference, and will trust it. I actually helped design NAP, years ago, and this was a weakness we were very aware of then, but saw no way around. Yet, NAP is still valuable. It is a great technology to ensure that compliant clients stay compliant; that non-malicious clients have all the necessary policies deployed, the right patches installed, the correct anti-malware software running and updated, and so on. Every network security administrator should definitely spend some time with NAP and consider whether it could provide another valuable tool in their arsenal.

However, NAP does NOT provide "Secure Access Control" to the network. It does not do so because it cannot provide true security. It cannot prevent malicious clients from getting on the network. Unless it is used with IPsec enforcement, in conjunction with Server and/or Domain Isolation, it also cannot prevent a malicious client from communicating with any other computer on the network. None of that makes it useless, nor does it mean that it is not a security technology. Policy enforcement, even when only on clients that choose to comply, is still a security concern, and a valid objective. Keeping managed clients managed is important. However, it is also really important that we understand the limitations of the technologies we are using, which is why I wrote this post.
